
UTILITY PATENT APPLICATION TRANSMITTAL 
(New Nonprovisional Applications Under 37 CFR § 1.53(b)) 



Attorney Docket No. 
1018.029US1 



TO THE ASSISTANT COMMISSIONER FOR PATENTS: 

Transmitted herewith is the patent application of ( ) application identifier or (X) first named inventor, Luca Cardelli, entitled
Ambient Calculus-Based Modal Logic Model Checking, for a(n):

(X) Original Patent Application.
( ) Continuing Application (prior application not abandoned):
    ( ) Continuation ( ) Divisional ( ) Continuation-in-part (CIP)
    of prior application No:          Filed on:
    ( ) A statement claiming priority under 35 USC § 120 has been added to the specification.



Enclosed are:
(X) Specification; 45 Total Pages.
(X) Drawing(s); Total Sheets.






Oath or Declaration:
(X) A Newly Executed Combined Declaration and Power of Attorney:
    (X) Signed. ( ) Unsigned. ( ) Partially Signed.
( ) A Copy from a Prior Application for Continuation/Divisional (37 CFR § 1.63(d)).
( ) Incorporation by Reference. The entire disclosure of the prior application, from which a copy of the
    oath or declaration is supplied, is considered as being part of the disclosure of the accompanying
    application and is hereby incorporated herein by reference.
( ) Signed Statement Deleting Inventor(s) Named in the Prior Application (37 CFR § 1.63(d)(2)).

Power of Attorney.                       (X) Return Receipt Postcard.
Associate Power of Attorney.             ( ) A Check in the amount of $        for the Filing Fee.
Preliminary Amendment.                   ( ) Information Disclosure Statement and Form PTO-1449.
A Duplicate Copy of this Form for Processing Fee Against Deposit Account.
A Certified Copy of Priority Documents (if foreign priority is claimed).
Statement(s) of Status as a Small Entity.
Data Entry Format sheets for OCR.
Assignment recordation cover sheet and assignment papers.



CLAIMS AS FILED

FOR                                         NO. FILED   NO. EXTRA   RATE      FEE
Total Claims                                19          0           $18.00    $0.00
Independent Claims                          5           2           $78.00    $156.00
Multiple Dependent Claims (if applicable)                                     $0.00
Assignment Recording Fee                                                      $0.00
Basic Filing Fee                                                              $760.00
Total Filing Fee                                                              $916.00



Charge $        to Deposit Account         pursuant to 37 CFR § 1.25. At any time during the pendency
of this application, please charge any fees required or credit any overpayment to this Deposit Account.



Respectfully submitted,
By:
Michael A. Dryja, Attorney of Record, Reg. No. 39,662

Date: 10/29/99

Correspondence Address: 

Law Offices of Michael Dryja 
704 228th Avenue NE PMB 694 
Redmond, WA 98053 
Phone: 425-427-5094 
Fax: 206-374-2819 



I hereby certify that this is being deposited with the U.S. Postal
Service "Express Mail Post Office to Addressee" service under
37 CFR § 1.10 on the date indicated below and is addressed to:

Assistant Commissioner for Patents
Box Patent Application
Washington, D.C. 20231

By:
Typed Name: Michael A. Dryja
Express Mail Label No.: EJ243665405US
Date of Deposit: 10/29/99



Inventor Information

Inventor One Given Name: Luca
Family Name: Cardelli
Postal Address Line One: 7 Boathouse Court
City: Cambridge
Country: United Kingdom
Postal or Zip Code: CB4 1DU
Citizenship Country: Italian

Inventor Two Given Name: Andrew
Family Name: Gordon
Postal Address Line One: 110 Hemingford Road
City: Cambridge
Country: United Kingdom
Postal or Zip Code: CB1 3BZ
Citizenship Country: British

Correspondence Information

Name Line One: Michael Dryja, Esq.
Name Line Two: Law Offices of Michael Dryja
Address Line One: 704 228th Avenue NE
Address Line Two: PMB 694
City: Redmond
State or Province: WA
Postal or Zip Code: 98053
Telephone: (425) 427-5094
Fax: (206) 374-2819
Electronic Mail One: mike@dryjapat.com
Electronic Mail Two: sherry@dryja.com



Application Information

Title Line One: Ambient Calculus-Based Modal Logic
Title Line Two: Model Checking
Total Drawing Sheets: 5
Formal Drawings?: Yes
Application Type: Utility
Docket Number: 1018.029US1



Representative Information

Registration Number One: 39,662
Registration Number Two: 32,628
Registration Number Three: 32,022



Continuity Information

This application is a: Non Prov. of Provisional
>Application One: 60/125,010
Filing Date: 03-18-99

This application is a: Non Prov. of Provisional
>Application Two: 60/132,600
Filing Date: 05-05-99



AMBIENT CALCULUS-BASED MODAL LOGIC MODEL CHECKING 



RELATED APPLICATIONS 

This application is related to the cofiled, copending and coassigned application 
entitled "Ambient Calculus-Based Modal Logics for Mobile Ambients" [docket no. 
1018.021US1]. 

FIELD OF THE INVENTION 

This invention relates generally to ambient calculus-based modal logics, and more 
specifically to model checking for such ambient calculus-based modal logics. 

BACKGROUND OF THE INVENTION 

Computing has become increasingly interconnected. Whereas before computers 
were discrete, unconnected units, because of the Internet as well as other networks, they 
are increasingly fluid, interconnected units. A computer program, which may be made up 
of one or more executable processes, or threads, may be mobile. For example, a thread of 
the program may move from computer to computer over the Internet. It may be executed 
in a distributed fashion over many computers, or a different instance of the thread may be 
run on each of many computers. 

The movement of threads from computer to computer, or even to different parts 
within the same computer, poses new security and other risks for which there is no formal 
analysis mechanism. For example, a thread may be unstable, such that having it be run 
on a particular computer may cause the computer to crash. More so, the thread may be 
malicious, such as part of a virus program, such that its purpose is to compromise the 
computers it moves to. 

More specifically, there are two distinct areas of work in mobility: mobile 
computing, concerning computation that is carried out in mobile devices (laptops, 
personal digital assistants, etc.), and mobile computation, concerning mobile code that 
moves between devices (agents, etc.). Mobility requires more than the traditional notion 
of authorization to run or to access information in certain domains: it involves the 
authorization to enter or exit certain domains. In particular, as far as mobile computation 
is concerned, it is not realistic to imagine that an agent can migrate from any point A to 
any point B on the Internet. Rather an agent must first exit its administrative domain 
(obtaining permission to do so), enter someone else's administrative domain (again, 
obtaining permission to do so) and then enter a protected area of some machine where it 
is allowed to run (after obtaining permission to do so). 

Access to information is controlled at many levels, thus multiple levels of 
authorization may be involved. Among these levels we have: local computer, local area 
network, regional area network, wide-area intranet and internet. Mobile programs should 
be equipped to navigate this hierarchy of administrative domains, at every step obtaining 
authorization to move further. Laptops should be authorized to access resources 
depending on their location in the administrative hierarchy. 

In general, a process or thread resides within a container referred to as an ambient. 
The ambient includes one or more processes or threads, as well as any data, etc., that 
move with the processes or threads. An ambient that can move is referred to as a mobile 
ambient. The ambient can be any type of container: a software container such as a 



particular part of an operating system, for example, as well as a hardware container, such 
as a particular computer or peripheral device. 

More specifically, an ambient has the following main characteristics. First, an 
ambient is a bounded place where computation happens. The interesting property here is 
the existence of a boundary around an ambient. Examples of ambients include: a web 
page (bounded by a file), a virtual address space (bounded by an addressing range), a 
Unix file system (bounded within a physical volume), a single data object (bounded by 
"self") and a laptop (bounded by its case and data ports). Non-examples are: threads (the 
boundary of what is "reachable" is difficult to determine) and logically related collections 
of objects. 

Second, an ambient is something that can be nested within other ambients. For 
example, to move a running application from work to home, the application must be 
removed from an enclosing (work) ambient and inserted in a different enclosing (home) 
ambient. A laptop may need a removal pass to leave a workplace, and a government pass 
to leave or enter a country. 

Third, an ambient is something that can be moved as a whole. If a laptop is 
connected to a different network, all the address spaces and file systems within it move 
accordingly and automatically. If an agent is moved from one computer to another, its 
local data should move accordingly and automatically. 

As mentioned, there is no formal analysis mechanism within the prior art for such 
mobile ambients. This means that there is no manner by which to describe formally, for 
example, a security policy for a given computer system, which could be applied against a 
mobile ambient within a formal analysis mechanism to determine if the ambient poses a 
security or other risk to the system. In particular, most formal analysis mechanisms, or 
frameworks, only provide for temporal distinction among processes and ambients, but 
assume that the processes and ambients are stationary, or otherwise do not provide for 
spatial distinction among them. Furthermore, there is no manner by which to formally 
verify that a policy or other model for processes and ambients is correct. 

For these and other reasons, there is a need for the present invention. 

SUMMARY OF THE INVENTION 

The invention relates to ambient calculus-based modal logic model checking. In 
one embodiment, a computer-implemented method receives a process, which is also 
referred to as a thread or agent in varying embodiments. The method analyzes the 
process against a formula using a predetermined modal logic based on ambient calculus. 
The formula, for example, can represent a model to be checked, a policy to be verified, 
such as a security policy, etc. The method finally outputs whether the process satisfies 
the formula or not. 

In one embodiment, analysis of the process against the formula is conducted in a 
recursive manner. The process is normalized to determine whether the process comprises 
only a single element. The process is partitioned to determine whether each component 
of the process satisfies the formula. A plurality of names of the process is determined, 
and it is verified that a name exists for the formula that is unequal to any of this plurality 
of names. Each sublocation of the process is analyzed against the formula. The spatial 
reach of the process is also analyzed against the formula. 



Embodiments of the invention provide for advantages over the prior art. A 
policy, such as a security or mobility policy, expressed in terms of a formula according to 
the modal logic can be verified in a formal manner. For example, the logic can be used to 
describe a policy as how an applet can move around among different containers, or 
ambients. A process can then be matched, or analyzed, against this formal description of 
the policy. The policy can be intricate, stating, for example, how a process can run on a 
specific machine, in detail. 

Embodiments of the invention include computer-implemented methods, 
computer-readable media, and computerized systems of varying scope. Still other 
embodiments, advantages and aspects of the invention will become apparent by reading 
the following detailed description, and by reference to the drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a diagram of an operating environment in conjunction with which 
embodiments of the invention may be practiced; 

FIG. 2 is a diagram of an example environment of ambients and processes in 
conjunction with which embodiments of the invention may be practiced; 

FIG. 3 is a flowchart of a method according to an embodiment of the invention; and, 

FIGs. 4-5 are diagrams of example situations of mobile ambients utilized in 
conjunction with the modal logic of varying embodiments of the invention. 



DETAILED DESCRIPTION OF THE INVENTION 



Organization of the Detailed Description 

The detailed description is organized as follows. The first section, the 
introduction, provides guidelines as to how to interpret the other sections of the detailed 
description. The second section describes an operating environment in context with 
which embodiments of the invention can be practiced. The third section provides a 
description of a mobile computing environment, which also gives guidance as to the 
context in which embodiments of the invention can be practiced. The fourth section 
describes modal logics, in accordance with which embodiments of the invention can be 
practiced. This fourth section includes various sub-sections, each of which detail different 
aspects of such modal logics. The fifth section highlights some examples of processes 
and formulas in the context of such modal logics. 

The sixth section presents methods according to embodiments of the invention, 
which rely on the modal logics of the fourth section. The methods relate generally to 
analyzing processes against formulas in the context of the modal logics. Finally, a 
conclusion is given in the seventh section of the detailed description. 

Introduction 

In the following detailed description of exemplary embodiments of the invention, 
reference is made to the accompanying drawings which form a part hereof, and in which 
is shown by way of illustration specific exemplary embodiments in which the invention 
may be practiced. These embodiments are described in sufficient detail to enable those 
skilled in the art to practice the invention, and it is to be understood that other 
embodiments may be utilized and that logical, mechanical, electrical and other changes 
may be made without departing from the spirit or scope of the present invention. The 
following detailed description is, therefore, not to be taken in a limiting sense, and the 
scope of the present invention is defined only by the appended claims. 

Some portions of the detailed descriptions which follow are presented in terms of 
algorithms and symbolic representations of operations on data bits within a computer 
memory. These algorithmic descriptions and representations are the means used by those 
skilled in the data processing arts to most effectively convey the substance of their work 
to others skilled in the art. An algorithm is here, and generally, conceived to be a 
self-consistent sequence of steps leading to a desired result. The steps are those requiring 
physical manipulations of physical quantities. Usually, though not necessarily, these 
quantities take the form of electrical or magnetic signals capable of being stored, 
transferred, combined, compared, and otherwise manipulated. (It is noted that the terms 
document and text are used interchangeably herein and should be construed as 
interchangeable as well.) 

It has proven convenient at times, principally for reasons of common usage, to 
refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the 
like. It should be borne in mind, however, that all of these and similar terms are to be 
associated with the appropriate physical quantities and are merely convenient labels 
applied to these quantities. Unless specifically stated otherwise as apparent from the 
following discussions, it is appreciated that throughout the present invention, discussions 
utilizing terms such as processing or computing or calculating or determining or 
displaying or the like, refer to the action and processes of a computer system, or similar 
electronic computing device, that manipulates and transforms data represented as 
physical (electronic) quantities within the computer system's registers and memories into 
other data similarly represented as physical quantities within the computer system 
memories or registers or other such information storage, transmission or display devices. 

Operating Environment 

Referring to FIG. 1, a diagram of the hardware and operating environment in 
conjunction with which embodiments of the invention may be practiced is shown. The 
description of FIG. 1 is intended to provide a brief, general description of suitable 
computer hardware and a suitable computing environment in conjunction with which the 
invention may be implemented. Although not required, the invention is described in the 
general context of computer-executable instructions, such as program modules, being 
executed by a computer, such as a personal computer. Generally, program modules 
include routines, programs, objects, components, data structures, etc., that perform 
particular tasks or implement particular abstract data types. 

Moreover, those skilled in the art will appreciate that the invention may be 
practiced with other computer system configurations, including hand-held devices, 
multiprocessor systems, microprocessor-based or programmable consumer electronics, 
network PC's, minicomputers, mainframe computers, and the like. The invention may 
also be practiced in distributed computing environments where tasks are performed by 
remote processing devices that are linked through a communications network. In a 
distributed computing environment, program modules may be located in both local and 
remote memory storage devices. 

The exemplary hardware and operating environment of FIG. 1 for implementing 
the invention includes a general purpose computing device in the form of a computer 20, 
including a processing unit 21, a system memory 22, and a system bus 23 that operatively 
couples various system components, including the system memory, to the processing unit 21. 
There may be only one or there may be more than one processing unit 21, such that the 
processor of computer 20 comprises a single central-processing unit (CPU), or a plurality 
of processing units, commonly referred to as a parallel processing environment. The 
computer 20 may be a conventional computer, a distributed computer, or any other type 
of computer; the invention is not so limited. 

The system bus 23 may be any of several types of bus structures including a 
memory bus or memory controller, a peripheral bus, and a local bus using any of a 
variety of bus architectures. The system memory may also be referred to as simply the 
memory, and includes read only memory (ROM) 24 and random access memory (RAM) 
25. A basic input/output system (BIOS) 26, containing the basic routines that help to 
transfer information between elements within the computer 20, such as during start-up, is 
stored in ROM 24. The computer 20 further includes a hard disk drive 27 for reading 
from and writing to a hard disk, not shown, a magnetic disk drive 28 for reading from or 
writing to a removable magnetic disk 29, and an optical disk drive 30 for reading from or 
writing to a removable optical disk 31 such as a CD ROM or other optical media. 

The hard disk drive 27, magnetic disk drive 28, and optical disk drive 30 are 
connected to the system bus 23 by a hard disk drive interface 32, a magnetic disk drive 



interface 33, and an optical disk drive interface 34, respectively. The drives and their 
associated computer-readable media provide nonvolatile storage of computer-readable 
instructions, data structures, program modules and other data for the computer 20. It 
should be appreciated by those skilled in the art that any type of computer-readable media 
which can store data that is accessible by a computer, such as magnetic cassettes, flash 
memory cards, digital video disks, Bernoulli cartridges, random access memories 
(RAMs), read only memories (ROMs), and the like, may be used in the exemplary 
operating environment. 

A number of program modules may be stored on the hard disk, magnetic disk 29, 
optical disk 31, ROM 24, or RAM 25, including an operating system 35, one or more 
application programs 36, other program modules 37, and program data 38. A user may 
enter commands and information into the personal computer 20 through input devices 
such as a keyboard 40 and pointing device 42. Other input devices (not shown) may 
include a microphone, joystick, game pad, satellite dish, scanner, or the like. These and 
other input devices are often connected to the processing unit 21 through a serial port 
interface 46 that is coupled to the system bus, but may be connected by other interfaces, 
such as a parallel port, game port, or a universal serial bus (USB). A monitor 47 or other 
type of display device is also connected to the system bus 23 via an interface, such as a 
video adapter 48. In addition to the monitor, computers typically include other peripheral 
output devices (not shown), such as speakers and printers. 

The computer 20 may operate in a networked environment using logical 
connections to one or more remote computers, such as remote computer 49. These 
logical connections are achieved by a communication device coupled to or a part of the 
computer 20; the invention is not limited to a particular type of communications device. 
The remote computer 49 may be another computer, a server, a router, a network PC, a 
client, a peer device or other common network node, and typically includes many or all 
of the elements described above relative to the computer 20, although only a memory 
storage device 50 has been illustrated in FIG. 1 . The logical connections depicted in FIG. 
1 include a local-area network (LAN) 51 and a wide-area network (WAN) 52. Such 
networking environments are commonplace in office networks, enterprise-wide computer 
networks, intranets and the Internet, which are all types of networks. 

When used in a LAN-networking environment, the computer 20 is connected to 
the local network 51 through a network interface or adapter 53, which is one type of 
communications device. When used in a WAN-networking environment, the computer 
20 typically includes a modem 54, a type of communications device, or any other type of 
communications device for establishing communications over the wide area network 52, 
such as the Internet. The modem 54, which may be internal or external, is connected to 
the system bus 23 via the serial port interface 46. In a networked environment, program 
modules depicted relative to the personal computer 20, or portions thereof, may be stored 
in the remote memory storage device. It is appreciated that the network connections 
shown are exemplary and other means of and communications devices for establishing a 
communications link between the computers may be used. 

Mobile Computing Environment 

In this section of the detailed description, an example mobile computing 
environment in conjunction with which embodiments of the invention can be practiced is described. 
That is, an example mobile computing environment, made up of ambients (containers) 
and processes (threads), is presented. Modal logics can then be used to represent these 
ambients and processes, as well as describe configurations of multiple such ambients and 
processes, and policies and formulas against which specific ambients and processes can 
be applied to determine if they satisfy the policies and formulas. That is, model checking 
as described herein can be used in accordance with such modal logics. 

Referring to FIG. 2, an example mobile computing environment 200 is shown. 
The environment 200 specifically includes ambients, or containers, 202, 204 and 206. As 
shown in FIG. 2, the ambient 202 resides within the ambient 204. The ambient 202 is 
named a; the ambient 204 is named b; and, the ambient 206 is named c. A process P 
resides within the ambient 204, while a process Q resides within the ambient 202, and 
processes R and S reside within the ambient 206. 

As has been described, each ambient, or container, can be a software or a 
hardware container. A software container may be a particular area defined by an 
operating system. Examples include stacks, heaps, sand boxes, as the latter term is 
referred to in the context of the Java programming language, etc. A hardware container 
may be a particular computer, such as a client or a server computer, as well as a particular 
computer peripheral. An example of a computer has been described in the preceding 
section of the detailed description. 

More specifically, an ambient as used herein has the following properties: 

• Each ambient has a name. The name of an ambient is used to control access 
(entry, exit, communication, etc.). In a realistic situation the true name of an 
ambient would be guarded very closely, and only specific capabilities would be 
handed out about how to use the name. In our examples we are usually more 
liberal in the handling of names, for sake of simplicity. 

• Each ambient has a collection of local agents (referred to interchangeably herein as 
threads or processes). These are the computations that run directly within the 
ambient and, in a sense, control the ambient. For example, they can instruct the 
ambient to move. 

• Each ambient may have a collection of subambients. Each subambient has its own 
name, agents, subambients, etc. 

Names refer to: 

• something that can be created, passed around and used to name new ambients. 

• something from which capabilities can be extracted. 



The logic of embodiments of the invention pertains to a mobile computing 
environment. Thus, the ambients of FIG. 2 are mobile. As shown in FIG. 2, for example, 
the ambient 202 is moving out of the ambient 204. There may be, for example, a 
particular policy or formula, expressed in the logic, that defines whether such a move can 
occur, such that it can be applied against the ambient 202 and the policy therein to 
determine whether such a move should be allowed to occur. Each of the ambients and 
their resident processes are also representable in the logic of embodiments of the 
invention, which is described in the next section of the detailed description. 



Modal Logic 

In this section of the detailed description, modal logics based on ambient calculus, 
and providing for spatial relationships among processes and containers, are presented. The 
logic makes assertions about the containment and contiguity of containers. Part of the 
logic is concerned with matching the syntactic structure of expressions in the calculus. 
The matching of the structure of formulas to the structure of processes is done in a 
flexible manner, up to a process equivalence, such that it is not entirely syntactical. A 
number of logical inference rules, including rules for propositional logic, rules for modal 
operators such as time, space and validity, and rules for locations and process 
composition are also derived. 



Basic Ambient Calculus 

The following table summarizes a basic ambient calculus upon which a modal 
logic according to an embodiment of the invention is based. There is no name restriction 
in the basic ambient calculus. The subsequent tables summarize the syntax of processes, 
the structural congruence relation between processes, and the reduction semantics. 



P, Q ::=                processes 
    0                     inactivity 
    P | Q                 composition 
    !P                    replication 
    M[P]                  ambient 
    M.P                   capability action 
    (n).P                 input action 
    ⟨M⟩                   async output action 

M ::=                   messages 
    n                     name 
    in M                  can enter into M 
    out M                 can exit out of M 
    open M                can open M 
    ε                     null 
    M.M'                  path 



Inactivity for a process means that the process does nothing; that is, it has no 
activity. The composition P | Q means there is a resulting process composed of both P 
and Q. Replication means that the process has been replicated, or duplicated, as opposed 
to moving from one container to another; the replication !P means effectively the same 
as an infinite array of replicas of P running in parallel. The ambient M[P] means that 
the process P resides within the container, or ambient, M. The capability action 
M.P means that the process is capable of the action, or functionality, M followed by the 
continuation P. The input action (n).P means that the process can accept an input 
message, bind it to n and continue with P. The asynchronous output action ⟨M⟩ means 
that the process performs an output of the message M and stops. 

A message expression M can take one of several forms. It can be a name n. It 
can be one of the capabilities in M, out M, or open M, whose effect when exercised is, 
respectively, to move the enclosing ambient into a sibling M, to move the enclosing 
ambient out of its parent M, or to dissolve the boundary around an adjacent ambient M. It 
can be the null capability ε. Or it may be a path M.M', whose effect is that of exercising 
first M and then M'. A process P has a set of free names, written fn(P), which 
consists of the names occurring in the text of P that are not bound by an input action. More 
formally, fn(P) is defined by the following table. 

(1)  fn(0) ≜ {}                         (8)  fn(n) ≜ {n} 
(2)  fn(P | Q) ≜ fn(P) ∪ fn(Q)          (9)  fn(in M) ≜ fn(M) 
(3)  fn(!P) ≜ fn(P)                     (10) fn(out M) ≜ fn(M) 
(4)  fn(M[P]) ≜ fn(M) ∪ fn(P)           (11) fn(open M) ≜ fn(M) 
(5)  fn(M.P) ≜ fn(M) ∪ fn(P)            (12) fn(ε) ≜ {} 
(6)  fn((n).P) ≜ fn(P) − {n}            (13) fn(M.M') ≜ fn(M) ∪ fn(M') 
(7)  fn(⟨M⟩) ≜ fn(M) 

The thirteen statements within this table are explained as follows. The first 
statement states that there are no free names for the inactivity process. The symbol ≜ 
specifies that the left-hand side of the symbol is defined as the right-hand side of the 
symbol. This definition is applicable in any statement in which the symbol ≜ appears. 




The second statement states that the free names for the composition P | Q are the free 
names for P conjoined with the free names for Q. The third statement states that when a 
process is replicated from another process, it has the same free names as that latter 
process. The fourth statement states that the free names of a container M having therein a 
process P are the free names of M by itself conjoined with the free names of P; that is, 
M[P] cannot take on any names that are not allowed by either M itself or P itself. The 
fifth statement states, likewise, that the free names of the capability action M.P are the 
free names of M conjoined with the free names of P. The sixth statement states that the 
free names of the input action (n).P are the free names of the process P, minus the name n, 
since the input action binds n. 

The seventh statement states that the free names of the asynchronous output 
action ⟨M⟩ are the same as the free names of the message M itself. The eighth statement 
states that the free names of a name n are the singleton set containing n. The ninth 
statement states that the free names of the capability "can enter into M" are the same as 
the free names of M itself. Likewise, the tenth and eleventh statements state that the 
free names of the capabilities "can exit out of M" and "can open M," respectively, are the 
same as the free names of M itself. The twelfth statement states that there are no free 
names for the null capability. The last statement states that the free names of the path 
M.M' are equal to the free names of M conjoined with the free names of M'. 

Furthermore, it is noted that the terminology $P\{n \leftarrow M\}$ is used for the substitution of the capability $M$ for each free occurrence of the name $n$ in the process $P$, and similarly

Structural congruence is defined as summarized in the following table. We use the symbol $\equiv$ to denote the relation of structural congruence, and in general write the phrase $P \equiv Q$ to mean that processes $P$ and $Q$ are equal up to structural congruence.
(1) $P \equiv P$ (Struct Refl)
(2) $P \equiv Q \Rightarrow Q \equiv P$ (Struct Symm)
(3) $P \equiv Q,\ Q \equiv R \Rightarrow P \equiv R$ (Struct Trans)
(4) $P \equiv Q \Rightarrow P \mid R \equiv Q \mid R$ (Struct Par)
(5) $P \equiv Q \Rightarrow\ !P \equiv\ !Q$ (Struct Repl)
(6) $P \equiv Q \Rightarrow M[P] \equiv M[Q]$ (Struct Amb)
(7) $P \equiv Q \Rightarrow M.P \equiv M.Q$ (Struct Action)
(8) $P \equiv Q \Rightarrow (x).P \equiv (x).Q$ (Struct Input)
(9) $\varepsilon.P \equiv P$ (Struct $\varepsilon$)
(10) $(M.M').P \equiv M.M'.P$ (Struct .)
(11) $P \mid Q \equiv Q \mid P$ (Struct Par Comm)
(12) $(P \mid Q) \mid R \equiv P \mid (Q \mid R)$ (Struct Par Assoc)
(13) $!P \equiv P \mid\ !P$ (Struct Repl Par)
(14) $P \mid 0 \equiv P$ (Struct Zero Par)
(15) $!0 \equiv 0$ (Struct Zero Repl)

This table is explained as follows. Structural reflexivity means that $P$ is equal to $P$. Structural symmetry means that if $P$ equals $Q$, then $Q$ equals $P$. Structural transitivity means that if $P$ equals $Q$ and $Q$ equals $R$, then $P$ also equals $R$. The fourth statement means that if $P$ equals $Q$, then the composition $P \mid R$ is equal to the composition $Q \mid R$. The fifth statement means that if $P$ equals $Q$, then the replication of $P$ equals the replication of $Q$. The sixth statement means that if $P$ equals $Q$, the ambient $M$ in which $P$ is contained, $M[P]$, equals the ambient $M$ in which $Q$ is contained, $M[Q]$. Similarly, the seventh statement means that if $P$ equals $Q$, then the exercise of the expression $M$ before the action of $P$, $M.P$, is equal to the exercise of the expression $M$ before the action of $Q$, $M.Q$. The eighth statement means that if $P$ equals $Q$, then $P$ prefixed by the input action $(x)$ is equal to $Q$ prefixed by the input action $(x)$.

The ninth statement means that prefixing the process $P$ with the null capability is the same as just stating the process $P$. The tenth statement means that stating $(M.M').P$ is the same as stating $M.M'.P$. The eleventh statement is the commutative property, that the composition $P \mid Q$ is equal to the composition $Q \mid P$. The twelfth statement is the associative property, that the composition of $(P \mid Q)$ and $R$ is equal to the composition of $P$ and $(Q \mid R)$. The thirteenth statement states that the replication of $P$ is equal to the composition $P \mid\ !P$. The fourteenth statement is an identity statement, that the composition of $P$ and the inactivity process is equal to $P$, while the fifteenth statement states that replicating the inactivity process is equal to the inactivity process itself.

Reduction is summarized in the next table. In it, the expression on the left side of the arrow ($\rightarrow$) reduces to the expression on the right side of the arrow.



(1) $n[\mathit{in}\ m.P \mid Q] \mid m[R] \rightarrow m[n[P \mid Q] \mid R]$ (Red In)
(2) $m[n[\mathit{out}\ m.P \mid Q] \mid R] \rightarrow n[P \mid Q] \mid m[R]$ (Red Out)
(3) $\mathit{open}\ n.P \mid n[Q] \rightarrow P \mid Q$ (Red Open)
(4) $(n).P \mid \langle M \rangle \rightarrow P\{n \leftarrow M\}$ (Red Comm)
(5) $P \rightarrow Q \Rightarrow n[P] \rightarrow n[Q]$ (Red Amb)
(6) $P \rightarrow Q \Rightarrow P \mid R \rightarrow Q \mid R$ (Red Par)
(7) $P' \equiv P,\ P \rightarrow Q,\ Q \equiv Q' \Rightarrow P' \rightarrow Q'$ (Red $\equiv$)
(8) $\rightarrow^*$ is the reflexive and transitive closure of $\rightarrow$



Finally, the following syntactic conventions and abbreviations, as summarized in the next table, are used herein. A fact is also provided.

Syntactic conventions

$!P \mid Q$ is read $(!P) \mid Q$
$M.P \mid Q$ is read $(M.P) \mid Q$
$(n).P \mid Q$ is read $((n).P) \mid Q$

Abbreviations

$n[\,] \triangleq n[0]$
$M \triangleq M.0$ (where appropriate)

Fact

$n[P] \equiv m[P']$ iff $n = m$ and $P \equiv P'$

Logical Formulas 

In this next sub-section, logical formulas of the modal logic, according to one 
embodiment of the invention, are presented. The logical formulas are based on a modal 
predicate logic with classical negation, as can be appreciated by those of ordinary skill 
within the art. Many connectives are interdefinable: existential formulations are given 
preference, because they have a more intuitive meaning than the corresponding universal 
ones. Two tables are provided: one specifying the logical formulas, and the next 
specifying connectives derived from the logical formulas. 



$A, B, C ::=$

(1) $\mathbf{T}$   true
(2) $\neg A$   negation
(3) $A \vee B$   disjunction
(4) $n[A]$   location
(5) $A' \mid A''$   composition
(6) $\exists n.A$   existential quantification over names
(7) $\lozenge A$   somewhere modality (spatial)
(8) $\Diamond A$   sometime modality (temporal)
(9) $A@n$   location adjunct
(10) $A \triangleright B$   composition adjunct

The logical formulas of the preceding table are described as follows. The first statement is a logical true, while the second statement is a logical negation and the third statement is a logical disjunction. The fourth statement means that the process $A$ is located within the container, or ambient, $n$. The fifth statement is a logical composition. The sixth statement specifies the existential quantifier operation, that there is some process $A$ within the container named $n$. The seventh statement specifies a spatial operator, that somewhere, at some location, the process $A$ exists. That is, within some container, anywhere in the domain space being considered, the process $A$ exists. Similarly, the eighth statement specifies a temporal operator, that at some point in time, the process $A$ will exist (or currently exists). The ninth statement specifies that the process $A$ exists within the container named $n$. Finally, the tenth statement is a logical composition adjunct.



(1) $\mathbf{F} \triangleq \neg\mathbf{T}$   false
(2) $A \wedge B \triangleq \neg(\neg A \vee \neg B)$   conjunction
(3) $A \Rightarrow B \triangleq \neg A \vee B$   implication
(4) $A \Leftrightarrow B \triangleq (A \Rightarrow B) \wedge (B \Rightarrow A)$   logical equivalence
(5) $A \| B \triangleq \neg(\neg A \mid \neg B)$   decomposition
(6) $!A \triangleq A \| \mathbf{F}$   every component satisfies $A$
(7) $?A \triangleq A \mid \mathbf{T}$ ($\Leftrightarrow \neg!\neg A$)   some component satisfies $A$
(8) $\forall n.A \triangleq \neg\exists n.\neg A$   universal quantification over names
(9) $\blacksquare A \triangleq \neg\lozenge\neg A$   everywhere modality (spatial)
(10) $\Box A \triangleq \neg\Diamond\neg A$   everytime modality (temporal)
(11) $A@ \triangleq \forall n.A@n$   in every location context
(12) $\triangleright A \triangleq \mathbf{T} \triangleright A$   in every composition context


The derived connectives of the preceding table are explained as follows. The first statement is the logical false, and is derived and defined as a function of the logical true. The second statement is the logical conjunction, while the third statement is the logical implication and the fourth logical equivalence. The fifth statement specifies logical decomposition. The sixth statement defines $!A$ as universal satisfaction, that every component satisfies the process $A$. Likewise, the seventh statement defines $?A$ as partial satisfaction, that some component satisfies the process $A$. The eighth statement defines the universal quantifier $\forall$ in terms of the existential quantifier $\exists$; that all the processes $A$ are within the container $n$. The ninth statement states that the process $A$ exists everywhere, from a spatial perspective, while the tenth statement states that the process $A$ has existed, and still exists, at every time. The eleventh and twelfth statements specify the in every location context and the in every composition context, respectively, and are derived from the eleventh and twelfth logical formula statements of the logical formulas table.

Finally, the following syntactic conventions are utilized herein.

• Parentheses are used for explicit precedence. 

• Infix binds stronger than '|', and they both bind stronger than the standard 
logical connectives. 

• Standard precedence is used for the standard logical connectives. 

• Quantifiers and modalities extend to the right as much as possible. 

Satisfaction 

The satisfaction relation $P \models A$ (process $P$ satisfies formula $A$) is defined inductively in the following tables, where $\Pi$ is the sort of processes, $\Phi$ is the sort of formulas, and $\Lambda$ is the sort of names. Quantification and sorting of meta-variables are made explicit because of subtle scoping issues, particularly in the definition of $P \models \exists n.A$. Similar syntax for logical connectives is used at the meta-level and object-level.

The meaning of the temporal modality is given by reductions in the operational semantics of the ambient calculus. For the spatial modality, the following definitions are needed. The relation $P \downarrow P'$ indicates that $P$ contains $P'$ within exactly one level of nesting. Then, $P \downarrow^* P'$ is the reflexive and transitive closure of the previous relation, indicating that $P$ contains $P'$ at some nesting level. Note that $P'$ constitutes the entire contents of an enclosed ambient.

$P \downarrow P'$ iff $\exists n, P''.\ P \equiv n[P'] \mid P''$
$\downarrow^*$ is the reflexive and transitive closure of $\downarrow$



$\forall P{:}\Pi.\quad P \models \mathbf{T}$
$\forall P{:}\Pi,\ A{:}\Phi.\quad P \models \neg A$ iff $\neg\,(P \models A)$
$\forall P{:}\Pi,\ A,B{:}\Phi.\quad P \models A \vee B$ iff $P \models A \vee P \models B$
$\forall P{:}\Pi,\ n{:}\Lambda,\ A{:}\Phi.\quad P \models n[A]$ iff $\exists P'{:}\Pi.\ P \equiv n[P'] \wedge P' \models A$
$\forall P{:}\Pi,\ A,B{:}\Phi.\quad P \models A \mid B$ iff $\exists P',P''{:}\Pi.\ P \equiv P' \mid P'' \wedge P' \models A \wedge P'' \models B$
$\forall P{:}\Pi,\ n{:}\Lambda,\ A{:}\Phi.\quad P \models \exists n.A$ iff $\exists m{:}\Lambda.\ P \models A\{n \leftarrow m\}$
$\forall P{:}\Pi,\ A{:}\Phi.\quad P \models \lozenge A$ iff $\exists P'{:}\Pi.\ P \downarrow^* P' \wedge P' \models A$
$\forall P{:}\Pi,\ A{:}\Phi.\quad P \models \Diamond A$ iff $\exists P'{:}\Pi.\ P \rightarrow^* P' \wedge P' \models A$
$\forall P{:}\Pi,\ n{:}\Lambda,\ A{:}\Phi.\quad P \models A@n$ iff $n[P] \models A$
$\forall P{:}\Pi,\ A,B{:}\Phi.\quad P \models A \triangleright B$ iff $\forall P'{:}\Pi.\ P' \models A \Rightarrow P \mid P' \models B$


The logical connectives of the preceding table are read as follows:

• Any process satisfies the $\mathbf{T}$ formula.

• A process satisfies the $\neg A$ formula if it does not satisfy the $A$ formula.

• A process satisfies the $A \vee B$ formula if it satisfies either the $A$ or the $B$ formula.

• A process $P$ satisfies the $n[A]$ formula if there exists a process $P'$ such that $P \equiv n[P']$ and $P' \models A$.

• A process $P$ satisfies the $A' \mid A''$ formula if there exist processes $P'$ and $P''$ such that $P \equiv P' \mid P''$ with $P'$ satisfying $A'$ and $P''$ satisfying $A''$.

• A process $P$ satisfies the formula $\exists n.A$ if there is a name $m$ such that $P$ satisfies $A\{n \leftarrow m\}$. (N.B.: the meta-theoretical definition above precisely captures the fact that $m$ can be instantiated to, but cannot itself clash with, any name free in $P$.)

• A process $P$ satisfies the formula $\lozenge A$ if $A$ holds at some location $P'$ within $P$, where "sublocation" is defined by $P \downarrow^* P'$.

• A process $P$ satisfies the formula $\Diamond A$ if $A$ holds in the future for some residual $P'$ of $P$, where "residual" is defined by $P \rightarrow^* P'$.

• A process $P$ satisfies the formula $A@n$ if, when placed in an ambient $n$, the combination $n[P]$ satisfies $A$.

• A process $P$ satisfies the formula $A \triangleright B$ if, given any parallel context $P'$ satisfying $A$, the combination $P' \mid P$ satisfies $B$. Another reading of $P \models A \triangleright B$ is that $P$ manages to satisfy $B$ under any possible attack by an opponent that is bound to satisfy $A$. Moreover, "$P$ satisfies $(\Box A) \triangleright (\Box A)$" means that $P$ preserves the invariant $A$.



$\forall P{:}\Pi.\quad \neg\,(P \models \mathbf{F})$
$\forall P{:}\Pi,\ A,B{:}\Phi.\quad P \models A \wedge B$ iff $P \models A \wedge P \models B$
$\forall P{:}\Pi,\ A,B{:}\Phi.\quad P \models A \R
ightarrow B$ iff $P \models A \Rightarrow P \models B$
$\forall P{:}\Pi,\ A,B{:}\Phi.\quad P \models A \Leftrightarrow B$ iff $P \models A \Leftrightarrow P \models B$
$\forall P{:}\Pi,\ A,B{:}\Phi.\quad P \models A \| B$ iff $\forall P',P''{:}\Pi.\ P \equiv P' \mid P'' \Rightarrow P' \models A \vee P'' \models B$
$\forall P{:}\Pi,\ A{:}\Phi.\quad P \models\ !A$ iff $\forall P',P''{:}\Pi.\ P \equiv P' \mid P'' \Rightarrow P' \models A$
$\forall P{:}\Pi,\ A{:}\Phi.\quad P \models\ ?A$ iff $\exists P',P''{:}\Pi.\ P \equiv P' \mid P'' \wedge P' \models A$
$\forall P{:}\Pi,\ n{:}\Lambda,\ A{:}\Phi.\quad P \models \forall n.A$ iff $\forall m{:}\Lambda.\ P \models A\{n \leftarrow m\}$
$\forall P{:}\Pi,\ A{:}\Phi.\quad P \models \blacksquare A$ iff $\forall P'{:}\Pi.\ P \downarrow^* P' \Rightarrow P' \models A$
$\forall P{:}\Pi,\ A{:}\Phi.\quad P \models \Box A$ iff $\forall P'{:}\Pi.\ P \rightarrow^* P' \Rightarrow P' \models A$
$\forall P{:}\Pi,\ A{:}\Phi.\quad P \models A@$ iff $\forall n{:}\Lambda.\ P \models A@n$
$\forall P{:}\Pi,\ A{:}\Phi.\quad P \models\ \triangleright A$ iff $\forall P'{:}\Pi.\ P \mid P' \models A$
$\forall P{:}\Pi,\ A,B{:}\Phi.\quad P \models\ \triangleright(A \Rightarrow B)$ iff $\forall P'{:}\Pi.\ P' \mid P \models A \Rightarrow P' \mid P \models B$ (cf. $P \models A \triangleright B$)



The derived logical connectives of the preceding table are read as follows:

• No process satisfies the $\mathbf{F}$ formula.

• A process satisfies the $A \wedge B$ formula if it satisfies both the $A$ and the $B$ formula.

• A process satisfies the $A \Rightarrow B$ formula if either it does not satisfy the $A$ formula or it satisfies the $B$ formula.

• A process satisfies the $A \Leftrightarrow B$ formula if it satisfies neither or both of the $A$ and $B$ formulas.

• A process $P$ satisfies the $A' \| A''$ formula if for every decomposition of $P$ into processes $P'$ and $P''$ such that $P \equiv P' \mid P''$, either $P'$ satisfies $A'$ or $P''$ satisfies $A''$.

• A process $P$ satisfies the $!A$ formula if every parallel component $P'$ of $P$ (such that $P \equiv P' \mid P''$, including $P' = 0$) satisfies the $A$ formula.

• A process $P$ satisfies the $?A$ formula if there is a parallel component $P'$ of $P$ (such that $P \equiv P' \mid P''$) that satisfies the $A$ formula.

• A process $P$ satisfies the formula $\forall n.A$ if for every name $m$, $P$ satisfies $A\{n \leftarrow m\}$.

• A process $P$ satisfies the formula $\blacksquare A$ if $A$ holds at every location $P'$ within $P$, where "sublocation" is defined by $P \downarrow^* P'$.

• A process $P$ satisfies the formula $\Box A$ if $A$ holds in the future for every residual $P'$ of $P$, where "residual" is defined by $P \rightarrow^* P'$.

• A process $P$ satisfies the formula $A@$ if, when placed in any ambient $n$, the combination $n[P]$ satisfies $A$.

• A process $P$ satisfies the formula $\triangleright A$ if for every process (i.e., for every context) the combination of $P$ with that process satisfies $A$.

• If process $P$ satisfies the formula $A \triangleright B$, it means that in every context that satisfies $A$, the combination (of $P$ and the context) satisfies $B$. Instead, if process $P$ satisfies the formula $\triangleright(A \Rightarrow B)$, it means that in every context, if the combination satisfies $A$ then the combination satisfies $B$.

The following proposition states that the satisfaction relation is invariant under structural congruence.

$P \equiv P' \Rightarrow (P \models A \Leftrightarrow P' \models A)$

A list of examples of the satisfaction relations is now provided. These examples should appear intuitively true from the definitions.

Location

$n[\,] \models n[\mathbf{T}]$
$n[\,] \mid 0 \models n[\mathbf{T}]$, because $n[\,] \mid 0 \equiv n[\,]$
$n[m[\,]] \models n[m[\mathbf{T}]]$
$\neg\,(0 \models n[\mathbf{T}])$
$\neg\,(m[\,] \models n[\mathbf{T}])$, if $n \neq m$

Composition

$n[\,] \mid m[\,] \models n[\mathbf{T}] \mid m[\mathbf{T}]$
$n[\,] \mid m[\,] \models m[\mathbf{T}] \mid n[\mathbf{T}]$, because $n[\,] \mid m[\,] \equiv m[\,] \mid n[\,]$
$n[\,] \mid P \models n[\mathbf{T}] \mid \mathbf{T}$
$n[\,] \models n[\mathbf{T}] \mid \mathbf{T}$, because $n[\,] \equiv n[\,] \mid 0$
$!n[\,] \models n[\mathbf{T}] \mid \mathbf{T}$, because $!n[\,] \equiv n[\,] \mid\ !n[\,]$
$n[\,] \mid n[\,] \models n[\mathbf{T}] \mid n[\mathbf{T}]$
$\neg\,(n[\,] \mid n[\,] \models n[\mathbf{T}])$
$\neg\,(!n[\,] \models n[\mathbf{T}])$
$\neg\,(n[\,] \mid \mathit{open}\ m \models n[\mathbf{T}])$

Quantification

$n[\,] \models \exists m.m[\mathbf{T}]$ iff $\exists p.\ n[\,] \models p[\mathbf{T}]$ iff $n[\,] \models n[\mathbf{T}]$ iff true
$n[m[\,]] \models \exists n.n[n[\mathbf{T}]]$ iff $\exists p.\ n[m[\,]] \models p[p[\mathbf{T}]]$ iff false
$0 \models \forall n.\neg n[\mathbf{T}]$

Spatial Modality

$n[m[\,]] \models \lozenge m[\mathbf{T}]$
$m[n[\,]] \models \lozenge n[\mathbf{T}]$

Temporal Modality

$n[m[\,]] \mid \mathit{open}\ n \models \Diamond m[\mathbf{T}]$
$n[n[\,]] \mid \mathit{open}\ n \models \Box(n[\mathbf{T}] \mid \mathbf{T})$

Location Adjunct

$n[\,] \models m[n[\mathbf{T}]]@m$
$n[\mathit{out}\ m] \models (\lozenge n[\mathbf{T}])@m$

Composition Adjunct

$n[\,] \models m[\mathbf{T}] \triangleright (n[\mathbf{T}] \mid m[\mathbf{T}])$
$\mathit{open}\ n.m[\,] \models (\Box n[\mathbf{T}]) \triangleright (\Diamond m[\mathbf{T}])$

Presence

$\mathit{an}\ n \triangleq n[\mathbf{T}] \mid \mathbf{T}$   (there is now an $n$ here)
$\mathit{no}\ n \triangleq \neg\mathit{an}\ n$   (there is now no $n$ here)
$\mathit{one}\ n \triangleq n[\mathbf{T}] \mid \mathit{no}\ n$   (there is now exactly one $n$ here)
$\mathit{unique}\ n \triangleq n[\blacksquare\mathit{no}\ n] \mid \blacksquare\mathit{no}\ n$   (there is now exactly one $n$, and it is here)
$!(n[\mathbf{T}] \Rightarrow n[A])$   (every $n$ here satisfies $A$)



Validity and Satisfiability 

It is noted that a formula is valid if it is satisfied by every process, and is satisfiable if it is satisfied by some process. This is summarized in the following table.

$\mathit{vld}\ A \triangleq \forall P{:}\Pi.\ P \models A$   ($A$ is valid)
$\mathit{sat}\ A \triangleq \exists P{:}\Pi.\ P \models A$   ($A$ is satisfiable)

From these definitions, the following are obtained:

$\mathit{vld}\ A \Rightarrow \mathit{sat}\ A$
$\mathit{vld}(A \wedge B) \Leftrightarrow \mathit{vld}\ A \wedge \mathit{vld}\ B$
$\mathit{vld}(A \vee B) \Leftarrow \mathit{vld}\ A \vee \mathit{vld}\ B$

Validity is used for modeling logical inference rules, as described in the next definition. A linearized notation is used for inference rules, where the usual horizontal bar separating antecedents from consequents is written '/', and ';' is used to separate antecedents.

Definition (Sequents and Rules)
Sequents:

$A \vdash B \triangleq \mathit{vld}(A \Rightarrow B)$

Rules:

$A_1 \vdash B_1;\ \ldots;\ A_n \vdash B_n\ /\ A \vdash B \triangleq (A_1 \vdash B_1 \wedge \ldots \wedge A_n \vdash B_n) \Rightarrow A \vdash B \quad (n \geq 0)$

$A_1 \vdash B_1\ //\ A_2 \vdash B_2 \triangleq (A_1 \vdash B_1\ /\ A_2 \vdash B_2) \wedge (A_2 \vdash B_2\ /\ A_1 \vdash B_1)$
Inference Rules

In this section, logical inference rules from the satisfaction relation are derived.

The following is a non-standard presentation of the sequent calculus, where each sequent has exactly one assumption and one conclusion: $A \vdash B$. This presentation is adopted because the logical connectives introduced later do not preserve the shape of multiple-assumption multiple-conclusion sequents. Moreover, in this presentation the rules of propositional logic become extremely symmetrical. Propositional logic is summarized in the following table.

(A-L) $A \wedge (C \wedge D) \vdash B\ //\ (A \wedge C) \wedge D \vdash B$
(A-R) $A \vdash (C \vee D) \vee B\ //\ A \vdash C \vee (D \vee B)$
(X-L) $A \wedge C \vdash B\ /\ C \wedge A \vdash B$
(X-R) $A \vdash C \vee B\ /\ A \vdash B \vee C$
(C-L) $A \wedge A \vdash B\ /\ A \vdash B$
(C-R) $A \vdash B \vee B\ /\ A \vdash B$
(W-L) $A \vdash B\ /\ A \wedge C \vdash B$
(W-R) $A \vdash B\ /\ A \vdash C \vee B$
(Id) $/\ A \vdash A$
(Cut) $A \vdash C \vee B;\ A' \wedge C \vdash B'\ /\ A \wedge A' \vdash B \vee B'$
(T) $A \wedge \mathbf{T} \vdash B\ /\ A \vdash B$
(F) $A \vdash \mathbf{F} \vee B\ /\ A \vdash B$
($\neg$-L) $A \vdash C \vee B\ /\ A \wedge \neg C \vdash B$
($\neg$-R) $A \wedge C \vdash B\ /\ A \vdash \neg C \vee B$
($\wedge$) $A \vdash B;\ A' \vdash B'\ /\ A \wedge A' \vdash B \wedge B'$
($\vee$) $A \vdash B;\ A' \vdash B'\ /\ A \vee A' \vdash B \vee B'$

The standard deduction rules of propositional logic, both for the sequent calculus and for natural deduction, are derivable from the rules of the preceding table, as can be appreciated by those of ordinary skill within the art. As usual, $A \Rightarrow B$ can be defined as $\neg A \vee B$.

For predicate logic the syntax of formulas (but not of processes) is enriched with variables ranging over names. These variables are indicated by letters $x, y, z$. Quantifiers bind variables, not names. Then, if $\mathit{fv}(A) = \{x_1, \ldots, x_k\}$ are the free variables of $A$ and $\varphi \in \mathit{fv}(A) \rightarrow \Lambda$ is a substitution of variables for names, $A\varphi$ is written for $A\{x_1 \leftarrow \varphi(x_1), \ldots, x_k \leftarrow \varphi(x_k)\}$, and the following is defined:

$\mathit{vld}\ A \triangleq \forall P{:}\Pi,\ \varphi{:}\mathit{fv}(A) \rightarrow \Lambda.\ P \models A\varphi$

The following table summarizes quantifiers over names.

($\forall$-L) $A\{x \leftarrow m\} \vdash B\ /\ \forall x.A \vdash B$
($\forall$-R) $A \vdash B\ /\ A \vdash \forall x.B$   where $x \notin \mathit{fv}(A)$
($\exists$-L) $A \vdash B\ /\ \exists x.A \vdash B$   where $x \notin \mathit{fv}(B)$
($\exists$-R) $A \vdash B\{x \leftarrow m\}\ /\ A \vdash \exists x.B$

This leads to the following $\Box$, $\Diamond$ and $\blacksquare$, $\lozenge$ properties:

(1) $\mathit{vld}(\Box(A \wedge B) \Leftrightarrow \Box A \wedge \Box B)$
(2) $\mathit{vld}(\blacksquare(A \wedge B) \Leftrightarrow \blacksquare A \wedge \blacksquare B)$
(3) $\mathit{vld}(\Diamond(A \vee B) \Leftrightarrow \Diamond A \vee \Diamond B)$
(4) $\mathit{vld}(\lozenge(A \vee B) \Leftrightarrow \lozenge A \vee \lozenge B)$

In the following table, it is propositioned that $\Box$, $\Diamond$ and $\blacksquare$, $\lozenge$ are modal S4:

($\Diamond$) $/\ \mathbf{T} \vdash \Diamond A \Leftrightarrow \neg\Box\neg A$
($\lozenge$) $/\ \mathbf{T} \vdash \lozenge A \Leftrightarrow \neg\blacksquare\neg A$
($\Box$K) $/\ \mathbf{T} \vdash \Box(A \Rightarrow B) \Rightarrow (\Box A \Rightarrow \Box B)$
($\blacksquare$K) $/\ \mathbf{T} \vdash \blacksquare(A \Rightarrow B) \Rightarrow (\blacksquare A \Rightarrow \blacksquare B)$
($\Box$T) $/\ \mathbf{T} \vdash \Box A \Rightarrow A$
($\blacksquare$T) $/\ \mathbf{T} \vdash \blacksquare A \Rightarrow A$
($\Box$4) $/\ \mathbf{T} \vdash \Box A \Rightarrow \Box\Box A$
($\blacksquare$4) $/\ \mathbf{T} \vdash \blacksquare A \Rightarrow \blacksquare\blacksquare A$
($\Box$M) $A \vdash B\ /\ \Box A \vdash \Box B$
($\blacksquare$M) $A \vdash B\ /\ \blacksquare A \vdash \blacksquare B$
($\Box\wedge$) $\Box(A \wedge C) \vdash B\ //\ \Box A \wedge \Box C \vdash B$
($\blacksquare\wedge$) $\blacksquare(A \wedge C) \vdash B\ //\ \blacksquare A \wedge \blacksquare C \vdash B$
($\Diamond\vee$) $A \vdash \Diamond(C \vee B)\ //\ A \vdash \Diamond C \vee \Diamond B$
($\lozenge\vee$) $A \vdash \lozenge(C \vee B)\ //\ A \vdash \lozenge C \vee \lozenge B$

It is noted that, because $\neg\mathit{vld}(\Diamond A \Rightarrow \Box\Diamond A)$, the modalities are not S5.

Finally, location properties, location rules, composition properties, and composition rules are listed.


Location Properties

(1) $\mathit{vld}(n[A \wedge B] \Leftrightarrow n[A] \wedge n[B])$
(2) $\mathit{vld}(n[A \vee B] \Leftrightarrow n[A] \vee n[B])$

Location Rules

($n[\,]$) $A \vdash B\ //\ n[A] \vdash n[B]$
($n[\,]\wedge$) $n[A \wedge C] \vdash B\ //\ n[A] \wedge n[C] \vdash B$
($n[\,]\vee$) $A \vdash n[C \vee B]\ //\ A \vdash n[C] \vee n[B]$

Composition Properties

(1) $\mathit{vld}(A \mid B \Rightarrow B \mid A)$
(2) $\mathit{vld}(A \mid (B \mid C) \Leftrightarrow (A \mid B) \mid C)$
(3) $\mathit{vld}((A \wedge B) \mid C \Rightarrow A \mid C \wedge B \mid C)$
(4) $\mathit{vld}((A \vee B) \mid C \Rightarrow A \mid C \vee B \mid C)$

Composition Rules

($\mid$) $A' \vdash B';\ A'' \vdash B''\ /\ A' \mid A'' \vdash B' \mid B''$
($\mid\wedge$) $(A \wedge B) \mid C \vdash D\ /\ A \mid C \wedge B \mid C \vdash D$
($\mid\vee$) $A \vdash (B \vee C) \mid D\ /\ A \vdash B \mid D \vee C \mid D$
($\mid\|$) $/\ A' \mid A'' \wedge B' \| B'' \vdash A' \mid B'' \vee B' \mid A''$
($\mid\neg$) $/\ \neg(A' \mid A'') \wedge \neg(B' \mid B'') \vdash \neg(B' \mid A'') \vee (\neg A' \mid \neg B'')$
($\mid$-E) $A \vdash B' \mid B'';\ A' \wedge (B' \mid C'') \vdash D;\ A'' \wedge (C' \mid B'') \vdash D\ /\ (A \wedge (A' \wedge A'')) \wedge (C' \| C'') \vdash D$




Adjunctions

The following propositions and corollaries relate to location adjunct rules, and composition adjunct rules. The first proposition states that $A@n$ and $n[A]$ are adjuncts.

Proposition: Location Adjunct Rules
($n[\,]@$) $n[A] \vdash B\ //\ A \vdash B@n$

Corollaries
(1) $\mathit{vld}\ n[A@n] \Rightarrow A$
(2) $\mathit{vld}\ A \Rightarrow n[A]@n$

Proposition: Composition Adjunct Rules
($\mid\triangleright$) $A \mid C \vdash B\ //\ A \vdash C \triangleright B$

Corollaries

(1) $\mathit{vld}\ (A \triangleright B) \mid A \Rightarrow B$
(2) $\mathit{vld}\ A \Rightarrow B \triangleright (A \mid B)$
(3) $\mathit{vld}\ (A \triangleright B) \mid (B \triangleright C) \Rightarrow A \triangleright C$

Reflecting Validity

In this sub-section, validity and satisfiability are reflected into the logic, by means of the $\triangleright$ operator:

$\mathit{Vld}\ A \triangleq (\neg A) \triangleright \mathbf{F}$
$\mathit{Sat}\ A \triangleq \neg(A \triangleright \mathbf{F})$
From this validity and satisfiability, two propositions and one lemma are described:

Proposition: Vld and Sat

(1) $\mathit{vld}\ (\mathit{Vld}\ A) \Leftrightarrow \mathit{vld}\ A$
(2) $\mathit{vld}\ (\mathit{Sat}\ A) \Leftrightarrow \mathit{sat}\ A$

Lemma: Vld, Sat Properties

(1) $\mathit{vld}(\mathit{Vld}(A \wedge B) \Leftrightarrow \mathit{Vld}\ A \wedge \mathit{Vld}\ B)$
(2) $\mathit{vld}(\mathit{Vld}(A \vee B) \Leftarrow \mathit{Vld}\ A \vee \mathit{Vld}\ B)$

Proposition: Vld, Sat is Modal S5

(Sat) $/\ \mathbf{T} \vdash \mathit{Sat}\ A \Leftrightarrow \neg\mathit{Vld}\,\neg A$
(VldK) $/\ \mathbf{T} \vdash \mathit{Vld}(A \Rightarrow B) \Rightarrow ((\mathit{Vld}\ A) \Rightarrow (\mathit{Vld}\ B))$
(VldT) $/\ \mathbf{T} \vdash (\mathit{Vld}\ A) \Rightarrow A$
(Vld5) $/\ \mathbf{T} \vdash (\mathit{Sat}\ A) \Rightarrow (\mathit{Vld}\ \mathit{Sat}\ A)$
(VldM) $A \vdash B\ /\ \mathit{Vld}\ A \vdash \mathit{Vld}\ B$
(Vld$\wedge$) $\mathit{Vld}(A \wedge C) \vdash B\ //\ \mathit{Vld}\ A \wedge \mathit{Vld}\ C \vdash B$
(Vld$\vee$) $A \vdash \mathit{Vld}(C \vee B)\ //\ A \vdash \mathit{Vld}\ C \vee \mathit{Vld}\ B$

Reflecting Name Equality

Finally, it is noted that it is possible to encode name equality within the logic in terms of validity. It is recalled that $\mathit{an}\ n = n[\mathbf{T}] \mid \mathbf{T}$. One proposition then follows.

$m = n \triangleq \mathit{Vld}(\mathit{an}\ m \triangleright \mathit{an}\ n)$

Proposition

$\mathit{vld}\ (m = n) \Leftrightarrow$ the names $m$ and $n$ are equal
Examples

In this section of the detailed description, examples of mobile computing environments in conjunction with the modal logic of the preceding section are presented. Specifically, four separate situations are shown in the diagram of FIG. 6, and an additional situation is shown in the diagram of FIG. 7. Those of ordinary skill within the art can appreciate that the situations of FIGs. 6 and 7 are examples for illustrative purposes only, and do not represent a limitation on the invention.

Referring first to FIG. 6, four situations are presented, situations 600, 602, 604 and 606. In situation 600, a container $n$ includes a process $Q$, and includes a policy telling the container how to behave. Specifically, the policy is $\mathit{in}\ m.P$, which instructs the container $n$ including the process $Q$ to move into the container $m$ already having the policy $R$ therein, as shown in situation 600. In situation 602, a container $n$ includes a process $Q$, and the policy telling the container how to behave is $\mathit{out}\ m.P$, which instructs the container $n$ including the process $Q$ to move out of the container $m$ also having the policy $R$ therein, as shown. In situation 604, the policy or instruction $\mathit{open}\ n.P$ is executed on the container $n$ having the process $Q$, such that $Q$ exits the container $n$ as a result. Finally, in situation 606, a replicated instruction is executed on the process $P$, such that an additional process $P$ is made (that is, process $P$ is copied).

Referring next to FIG. 7, a communication operation referred to as a note is shown in the situation 700. The note can reside within a container. The capabilities that can be held by the note include names, such as $n$, as well as action capabilities, such as $\mathit{in}\ n$, $\mathit{out}\ n$, $\mathit{open}\ n$, or a path, such as $C.C'$, as has been described in the modal logic section of the detailed description.
Methods

In this section of the detailed description, computer-implemented methods according to varying embodiments of the invention are presented. The methods make use of the modal logics described in the previous section of the detailed description, which are based on ambient calculus and provide for spatial relationships among processes of containers. The methods relate to a model-checking algorithm. The computer-implemented methods are desirably realized at least in part as one or more programs running on a computer, that is, as a program executed from a computer- or machine-readable medium such as a memory by a processor of a computer. The programs are desirably storable on a machine-readable medium such as a floppy disk or a CD-ROM, for distribution and installation and execution on another computer.

As described herein, the method references sub-methods norm, sublocation and reachable. In one embodiment of the invention, these sub-methods are implemented as described in a succeeding embodiment of the invention.

Referring now to FIG. 3, a flowchart of a method according to an embodiment of the invention is shown. In 300, a process is input. This is the process that is to be analyzed. The process may be a thread, an applet, an agent, etc.; the invention is not so limited. The process itself may be a composition of one or more processes. For example, the process can be the composition $P \mid Q \mid R$, where each of $P$, $Q$ and $R$ is a separate process. Again, the invention is not so limited.

302, 304, 306, 308, 310, 312, and 314 implement the analysis of the process against a formula, using a predetermined modal logic based on ambient calculus, according to one embodiment of the invention. The formula against which the process is to be analyzed can be a policy, such as a security policy or a mobility policy, such that the policy is described using the predetermined modal logic, such as has been described in the preceding sections of the detailed description. In one embodiment, the process is analyzed in a recursive manner. The analysis of 302, 304, 306, 308, 310, 312 and 314 can be summarized as a theorem, specifically: for all restriction-free processes $P$ and $\triangleright$-free closed formulas $A$, $P \models A$ if and only if $\mathit{Check}(P, A)$, where $\mathit{Check}()$ is the analysis of 302, 304, 306, 308, 310, 312 and 314.



In 302 specifically, the process is analyzed in three ways, referred to herein as an initial checking of the process against the formula. First, it is checked that $\mathit{Check}(P, \mathbf{T}) = \mathbf{T}$. This means that if the formula is $\mathbf{T}$ then the outcome of the analysis is $\mathbf{T}$ for any process. Second, it is checked that $\mathit{Check}(P, \neg A) = \neg\mathit{Check}(P, A)$. This means that if the formula is a negation $\neg A$ then the outcome of the analysis is the negation of a recursive analysis of the process $P$ against formula $A$. Third, it is checked that $\mathit{Check}(P, A \vee B) = \mathit{Check}(P, A) \vee \mathit{Check}(P, B)$. This means that the outcome of the analysis is the disjunction of recursively checking the process $P$ against formula $A$ and checking the process $P$ against formula $B$.

In 304 specifically, the process is normalized, and it is determined whether the process includes only one element, or entry. If there is more than one element, then the process fails against the policy. The check of 304 only applies if the formula is a location $n[A]$. This check can be expressed as:

In 306 specifically, the process is partitioned to determine whether each component of the process satisfies the formula, or policy. If any component fails against the policy, then the process itself fails. The check of 306 only applies if the formula is a composition $A \mid B$. This check can be expressed as:

$\mathit{Check}(P, A \mid B) = \mathbf{let}\ [\pi_1, \ldots, \pi_k] = \mathit{Norm}(P)\ \mathbf{in}$
$\quad \mathbf{T}$ if $\exists I, J.\ I \cup J = 1..k \wedge I \cap J = \emptyset \wedge \mathit{Check}(\prod_{i \in I} \pi_i, A) \wedge \mathit{Check}(\prod_{j \in J} \pi_j, B)$
$\quad \mathbf{F}$ otherwise

In 308 specifically, all of the names of the process are determined. Then, it is verified that a name exists for the formula that is unequal to any of the names of the process. If this verification fails, then the process itself fails against the policy. The check of 308 only applies if the formula is an existential quantification $\exists x.A$. This check can be expressed as:

$\mathit{Check}(P, \exists x.A) = \mathbf{let}\ \{m_1, \ldots, m_k\} = \mathit{fn}(P) \cup \mathit{fn}(A)\ \mathbf{in}$
$\quad \mathbf{let}\ m_0 \notin \{m_1, \ldots, m_k\}$ be some fresh name $\mathbf{in}$
$\quad \mathbf{T}$ if $\mathit{Check}(P, A\{x \leftarrow m_i\})$ for some $i \in 0..k$
$\quad \mathbf{F}$ otherwise

In one embodiment, a unification algorithm, as known within the art, can be used to effectuate the check of 308, to make the check more efficient. However, the invention is not so limited.

In 310 specifically, each sublocation of the process is checked, or analyzed, against the formula, or policy. If the check fails for any sublocation, then the process itself fails against the policy. The check of 310 only applies if the formula is a somewhere modality $\lozenge A$. This check can be expressed as:

$\mathit{Check}(P, \lozenge A) = \mathbf{let}\ [P_1, \ldots, P_k] = \mathit{SubLocations}(P)\ \mathbf{in}$
$\quad \mathbf{T}$ if $\mathit{Check}(P_i, A)$ for some $i \in 1..k$
$\quad \mathbf{F}$ otherwise

In 312 specifically, the spatial reach of the process is checked, or analyzed, against the formula, or policy. This check thus determines whether the process has a finite spatial reach. If the check fails, then the process itself fails against the policy. The check of 312 only applies if the formula is a sometime modality $\Diamond A$. This check can be expressed as:

$\mathit{Check}(P, \Diamond A) = \mathbf{let}\ [P_1, \ldots, P_k] = \mathit{Reachable}(P)\ \mathbf{in}$
$\quad \mathbf{T}$ if $\mathit{Check}(P_i, A)$ for some $i \in 1..k$
$\quad \mathbf{F}$ otherwise

In 314 specifically, it is checked recursively that the process satisfies a formula when enclosed in a surrounding ambient. If the check fails, then the process itself fails against the policy. The check of 314 only applies if the formula is a location adjunct $A@n$. This can be expressed as $\mathit{Check}(P, A@n) = \mathit{Check}(n[P], A)$.

Finally, in 316, whether or not the process satisfied the formula, based on the analysis conducted in 302, 304, 306, 308, 310 and 312, is output. The invention is not limited to the manner by which output is accomplished. For example, in one embodiment, it can be output to a further analysis program or software component, that allows for analysis and conclusions to be drawn. As another example, the output can be displayed on a display device, or printed to a printer, etc. As a third example, output can mean storage to a storage device, for later and/or further analysis by a program or software component.
As can be appreciated by those of ordinary skill within the art, the above method can be effectuated by a system in one embodiment of the invention. That is, a system including a processor and a computer-readable medium, such that first data stored on the medium represents the process, and second data stored on the medium represents the formula. In such an instance, an analysis program is executed by the processor from the medium to analyze the process against the formula, for example, in a recursive manner.

Sub-Methods 

In this section of the detailed description, the sub-methods norm, reachable, and 
sublocations, as referenced in the previous section of the detailed description, are 
described, according to one embodiment of the invention. However, the invention is not 
so limited to the embodiment of this section. 

First, the sub-method norm is described. Any replication-free process may be factored up to structural congruence into a normal form consisting of a composition of prime processes, where a prime process is an ambient, an action, an input, or an output.

In the following table, the prime processes are first defined. The normal form is stated in terms of the following notation: for processes $\pi_1, \ldots, \pi_k$, let the notation $\prod_{i \in 1..k} \pi_i$ stand for the composition $\pi_1 \mid \ldots \mid \pi_k \mid 0$.

Prime processes, and normal forms:

$\pi ::=$   Prime process
$\quad M[P]$   Ambient
$\quad M.P$   Action
$\quad (x).P$   Input
$\quad \langle M \rangle$   Output

$\prod_{i \in 1..k} \pi_i$   Replication-free normal form

Next, an algorithm is defined for computing normal forms. Given a process, the 
following function returns a list of primes, which represents a normal form of the process. 
The notation is used for a list of primes. List concatenation is written as 

5 follows: [;ri,..,,;rJ ++[<...,;r;] = [;rp...,;r^,;r;,.,.,;r;].Thenthenotation 

is used as a shorthand for P g {i^ , } . 

Computing a normal form of a replication-free process: 

Norm(M[P]) = [M[P]] 
Norm{0) = [ ] 

Norm (P I Q) - Norm (P) 4- -^Norm {Q) 

Norm {M.P) = Norm (P) if Head (M) =g 

Norm (M.P) = [M, . {M^ .P)] if Head {M) = M, 

iVbm((jc).P) = [(jc).P] 
Norm[{M))^\{M)'\ 

Since all the recursive calls are on subprocesses of the original process, the algorithm 
10 always terminates. Moreover, if Norm {P) = [7i:^,....,7u^]thenP^ Y\i^uk^i' 

Next, the sub-method sublocations is described. An algorithmic characterization 
of the $P \downarrow^* P'$ predicate is used, which is used in the definition of the spatial modality. 
Specifically, we define a procedure $SubLocations(P)$ for computing representatives of all 
processes $P'$ such that $P \downarrow^* P'$. The definition of $SubLocations(P)$ depends on a 
subroutine $Children(P)$, which computes representatives of all processes $P'$ such that 
$P \downarrow P'$. 
Computing the children of a normal form is as follows: 

$Children([\,]) = [\,]$ 
$Children(P :: Ps) = Q :: Children(Ps)$ if $P = n[Q]$ 
$Children(P :: Ps) = Children(Ps)$ otherwise 



The following lemma and proposition are then given as: 

Lemma Suppose $Children([\pi_1, \ldots, \pi_k]) = [P_1, \ldots, P_k]$. 

(1) For all $i \in 1..k$, $\prod_{j \in 1..k} \pi_j \downarrow P_i$. 

(2) If $\prod_{j \in 1..k} \pi_j \downarrow Q$ then $Q \equiv P_i$ for some $i \in 1..k$. 

Proposition Suppose $Children(Norm(P)) = [P_1, \ldots, P_k]$. 

(1) For all $i \in 1..k$, $P \downarrow P_i$. 

(2) If $P \downarrow Q$ then $Q \equiv P_i$ for some $i \in 1..k$. 

Computing the sublocations of a process is then given as: 

$SubLocations(P) = \mathbf{let}\ [P_1, \ldots, P_k] = Children(Norm(P))\ \mathbf{in}$ 
$\quad [P] \mathrel{++} SubLocations(P_1) \mathrel{++} \ldots \mathrel{++} SubLocations(P_k)$ 

The following lemma is needed, however. Note that it cannot be generalized to 
the reflexive case, that is, where $\downarrow^*$ is substituted for $\downarrow$. 

Lemma If $P' \equiv P$, $P \downarrow Q$, and $Q \equiv Q'$, then $P' \downarrow Q'$. 

A proposition is next given as: 

Proposition Suppose $SubLocations(P) = [P_1, \ldots, P_k]$. 

(1) For all $i \in 1..k$, $P \downarrow^* P_i$. 

(2) If $P \downarrow^* Q$ then $Q \equiv P_i$ for some $i \in 1..k$. 
Finally, the sub-method reachable is described. Computing the processes reachable 
from a process gives: 

$Reachable(P) = \mathbf{let}\ [P_1, \ldots, P_k] = Next(P)\ \mathbf{in}$ 
$\quad [P] \mathrel{++} Reachable(P_1) \mathrel{++} \ldots \mathrel{++} Reachable(P_k)$ 

There is one lemma and one proposition associated with this. 

Lemma If $P' \equiv P$, $P \rightarrow Q$, and $Q \equiv Q'$, then $P' \rightarrow Q'$. 

Proposition Suppose $Reachable(P) = [P_1, \ldots, P_k]$. 

(1) For all $i \in 1..k$, $P \rightarrow^* P_i$. 

(2) If $P \rightarrow^* Q$ then $Q \equiv P_i$ for some $i \in 1..k$. 
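The four sub-methods of this section, Norm, Children, SubLocations and Reachable, as an added worked example in Python that is not code from the application. It runs over a constructed tuple encoding of replication-free processes; Next(P), which this section uses but does not define, is assumed here to return the one-step reducts under the in, out and open rules of the ambient calculus, including reductions inside an ambient body. That assumption, the tuple encoding, the helper par (the inverse of Norm) and the printer show are additions for the example. The constructed input n[in m.0] | m[open n.0] has exactly three reachable states, and its second state has three sublocations; these are the lists a checker walks to decide a spatial ("somewhere") or temporal ("sometime") modality over a process.

```python
# Added example (not the application's code): Norm, Children, SubLocations and Reachable
# over a constructed tuple encoding of replication-free ambient-calculus processes.
#   ('zero',) 0     ('par', P, Q) P | Q     ('amb', n, P) n[P]
#   ('act', M, P) M.P with M a tuple of ('in', n) / ('out', n) / ('open', n)
#   ('inp', x, P) (x).P     ('out', M) <M>

def norm(P):
    """Norm(P): a list of primes whose composition is structurally congruent to P."""
    kind = P[0]
    if kind == 'zero':
        return []
    if kind == 'par':                               # Norm(P | Q) = Norm(P) ++ Norm(Q)
        return norm(P[1]) + norm(P[2])
    if kind == 'act':
        M, Q = P[1], P[2]
        if not M:                                   # Head(M) = epsilon: empty path vanishes
            return norm(Q)
        rest = ('act', M[1:], Q) if M[1:] else Q    # M1.(M2.Q), dropping M2 when empty
        return [('act', M[:1], rest)]
    return [P]                                      # ambient, input and output are prime

def par(primes):
    """Inverse of norm: rebuild the composition pi_1 | ... | pi_k | 0 from a prime list."""
    P = ('zero',)
    for prime in reversed(primes):
        P = ('par', prime, P)
    return P

def children(primes):
    """Children(Ps): the bodies Q of the ambient primes n[Q] in Ps, in order."""
    return [prime[2] for prime in primes if prime[0] == 'amb']

def sublocations(P):
    """SubLocations(P) = [P] ++ SubLocations(P1) ++ ... for Children(Norm(P)) = [P1..Pk]."""
    out = [P]
    for child in children(norm(P)):
        out += sublocations(child)
    return out

def next_(P):
    """Assumed Next(P): one-step reducts of P under the in, out and open rules,
    including reductions inside an ambient body (each step consumes one capability)."""
    ps, results = norm(P), []
    for i, prime in enumerate(ps):
        rest = ps[:i] + ps[i + 1:]
        if prime[0] == 'act' and prime[1][0][0] == 'open':   # open n.P | n[Q] -> P | Q
            n, cont = prime[1][0][1], prime[2]
            for j, other in enumerate(rest):
                if other[0] == 'amb' and other[1] == n:
                    results.append(par(rest[:j] + rest[j + 1:] + norm(cont) + norm(other[2])))
        if prime[0] != 'amb':
            continue
        n, body = prime[1], norm(prime[2])
        for Q in next_(prime[2]):                            # reduction inside n[...]
            results.append(par([('amb', n, Q)] + rest))
        for k, sub in enumerate(body):
            body_rest = body[:k] + body[k + 1:]
            if sub[0] == 'act' and sub[1][0][0] == 'in':     # n[in m.P | Q] | m[R] -> m[n[P | Q] | R]
                m, cont = sub[1][0][1], sub[2]
                for j, other in enumerate(rest):
                    if other[0] == 'amb' and other[1] == m:
                        moved = ('amb', n, par(norm(cont) + body_rest))
                        results.append(par([('amb', m, ('par', moved, other[2]))]
                                           + rest[:j] + rest[j + 1:]))
            if sub[0] == 'amb':                              # n[m[out n.P | Q] | R] -> m[P | Q] | n[R]
                m, inner = sub[1], norm(sub[2])
                for t, act in enumerate(inner):
                    if act[0] == 'act' and act[1][0] == ('out', n):
                        exited = ('amb', m, par(norm(act[2]) + inner[:t] + inner[t + 1:]))
                        results.append(par([exited, ('amb', n, par(body_rest))] + rest))
    return results

def reachable(P):
    """Reachable(P) = [P] ++ Reachable(P1) ++ ... ++ Reachable(Pk) for Next(P) = [P1..Pk].
    Terminates because every reduction step consumes one capability prefix."""
    out = [P]
    for Q in next_(P):
        out += reachable(Q)
    return out

def show(P):
    """Render a process in ambient-calculus syntax (normalising first)."""
    def cont(Q):                                             # parenthesise compound continuations
        return f'({show(Q)})' if len(norm(Q)) > 1 else show(Q)
    parts = []
    for prime in norm(P):
        if prime[0] == 'amb':
            parts.append(f'{prime[1]}[{show(prime[2])}]')
        elif prime[0] == 'act':
            parts.append(f'{prime[1][0][0]} {prime[1][0][1]}.{cont(prime[2])}')
        elif prime[0] == 'inp':
            parts.append(f'({prime[1]}).{cont(prime[2])}')
        else:
            parts.append(f'<{prime[1]}>')
    return ' | '.join(parts) if parts else '0'

if __name__ == '__main__':
    # Constructed input: n wants to enter m, and m dissolves n once it is inside.
    P = ('par', ('amb', 'n', ('act', (('in', 'm'),), ('zero',))),
                ('amb', 'm', ('act', (('open', 'n'),), ('zero',))))
    print([show(Q) for Q in reachable(P)])     # ['n[in m.0] | m[open n.0]', 'm[n[0] | open n.0]', 'm[0]']
    print([show(Q) for Q in sublocations(reachable(P)[1])])  # ['m[n[0] | open n.0]', 'n[0] | open n.0', '0']
```

Reachable is written exactly as the definition above, a depth-first concatenation, so duplicate representatives of congruent states are kept rather than merged; a checker that wants a finite set of states would deduplicate up to structural congruence after calling it.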

Conclusion 

Although specific embodiments have been illustrated and described herein, it will 
be appreciated by those of ordinary skill in the art that any arrangement which is 
calculated to achieve the same purpose may be substituted for the specific embodiments 
shown. This application is intended to cover any adaptations or variations of the present 
invention. Therefore, it is manifestly intended that this invention be limited only by the 
following claims and equivalents thereof. 

We claim: 



1. A computer-implemented method operable on a process, the method comprising: 
analyzing the process against a formula using a predetermined modal logic based 
on ambient calculus to determine whether the process satisfies the formula; and, 
outputting whether the process satisfies the formula. 

2. The method of claim 1, wherein analyzing the process comprises analyzing the 
process in a recursive manner. 

3. The method of claim 1, wherein analyzing the process comprises normalizing the 
process to determine whether the process comprises only a single element. 

4. The method of claim 1, wherein analyzing the process comprises partitioning the 
process to determine whether each component of the process satisfies the formula. 

5. The method of claim 1, wherein analyzing the process comprises determining a 
plurality of names of the process, and verifying that a name exists for the formula that is 
unequal to any of the plurality of names. 

6. The method of claim 1, wherein analyzing the process comprises analyzing each 
sublocation of the process against the formula. 
7. The method of claim 1, wherein analyzing the process comprises analyzing a 
spatial reach of the process against the formula. 



8. A computer-implemented method comprising: 

recursively analyzing a process against a formula using a predetermined modal 
logic based on ambient calculus comprising: 

normalizing the process to determine whether the process comprises only 
a single element; 

partitioning the process to determine whether each component of the 
process satisfies the formula; 

determining a plurality of names of the process, and verifying that a name 
exists for the formula that is unequal to any of the plurality of names; 

analyzing each sublocation of the process against the formula; 
analyzing a spatial reach of the process against the formula; and, 
outputting whether the process satisfies the formula. 

9. A machine-readable medium having instructions stored thereon for execution by a 
process to perform a method comprising: 
inputting a process; 

recursively analyzing the process against a formula using a predetermined modal 
logic based on ambient calculus to determine whether the process satisfies the formula; 
and, 

outputting whether the process satisfies the formula. 
10. The medium of claim 9, wherein recursively analyzing the process comprises 
normalizing the process to determine whether the process comprises only a single 
element. 

11. The medium of claim 9, wherein recursively analyzing the process comprises: 
partitioning the process to determine whether each component of the process 
satisfies the formula; and, 

determining a plurality of names of the process, and verifying that a name exists 
for the formula that is unequal to any of the plurality of names. 

12. The medium of claim 9, wherein recursively analyzing the process comprises: 
analyzing each sublocation of the process against the formula; and, 
analyzing a spatial reach of the process against the formula. 

13. A machine-readable medium having instructions stored thereon for execution by a 
process to perform a method comprising: 

recursively analyzing a process against a formula using a predetermined modal 
logic based on ambient calculus comprising: 

normalizing the process to determine whether the process comprises only 
a single element; 

partitioning the process to determine whether each component of the 
process satisfies the formula; 

determining a plurality of names of the process, and verifying that a name 
exists for the formula that is unequal to any of the plurality of names; 

analyzing each sublocation of the process against the formula; 
analyzing a spatial reach of the process against the formula; and, 
outputting whether the process satisfies the formula. 

14. A computerized system comprising: 
a processor; 

a computer-readable medium; 

first data stored on the medium and representing a process; 

second data stored on the medium and representing a formula using a 
predetermined modal logic based on ambient calculus; and, 

an analysis program executed by the processor from the medium to analyze the 
process against the formula in a recursive manner. 

15. The system of claim 14, wherein the analysis program is to normalize the process 
to determine whether the process comprises only a single element. 

16. The system of claim 14, wherein the analysis program is to partition the process 
to determine whether each component of the process satisfies the formula. 

17. The system of claim 14, wherein the analysis program is to determine a plurality 
of names of the process, and verify that a name exists for the formula that is unequal to 
any of the plurality of names. 
18. The system of claim 14, wherein the analysis program is to analyze each 
sublocation of the process against the formula. 

19. The system of claim 14, wherein the analysis program is to analyze a spatial reach 
of the process against the formula. 
ABSTRACT OF THE DISCLOSURE 

Ambient calculus-based modal logic model checking is disclosed. In one 
embodiment, a method receives a process for analysis against a formula, and outputs 
whether it satisfies the formula. In one embodiment, process analysis is conducted in a 
recursive manner. The process is normalized to determine whether the process comprises 
a single element. The process is partitioned to determine whether each component 
satisfies the formula. A plurality of names of the process is determined, and it is verified 
that a name exists for the formula that is unequal to any of the plurality. Each process 
sublocation is analyzed, as well as the spatial process reach. 